# SPDX-License-Identifier: GPL-2.0
#
# Linux Random Number Generator configuration
#

menuconfig LRNG
	bool "Linux Random Number Generator"
	select CRYPTO_LIB_SHA256 if CRYPTO
	help
	  The Linux Random Number Generator (LRNG) is the replacement
	  of the existing /dev/random provided with drivers/char/random.c.
	  It generates entropy from different noise sources and
	  delivers significant entropy during boot.

if LRNG

config LRNG_OVERSAMPLE_ENTROPY_SOURCES
	bool "Oversample entropy sources"
	default n
	help
	  When enabling this option, the entropy sources are
	  over-sampled with the following approach: First, the
	  the entropy sources are requested to provide 64 bits more
	  entropy than the size of the entropy buffer. For example,
	  if the entropy buffer is 256 bits, 320 bits of entropy
	  is requested to fill that buffer.

	  Second, the seed operation of the deterministic RNG
	  requests 128 bits more data from each entropy source than
	  the security strength of the DRNG during initialization.
	  A prerequisite for this operation is that the digest size
	  of the used hash must be at least equally large to generate
	  that buffer. If the prerequisite is not met, this
	  oversampling is not applied.

	  This strategy is intended to offset the asymptotic entropy
	  increase to reach full entropy in a buffer.

	  The strategy is consistent with the requirements in
	  NIST SP800-90C and is only enforced with fips=1.

	  If unsure, say N.

config LRNG_OVERSAMPLE_ES_BITS
	int
	default 0 if !LRNG_OVERSAMPLE_ENTROPY_SOURCES
	default 64 if LRNG_OVERSAMPLE_ENTROPY_SOURCES

config LRNG_SEED_BUFFER_INIT_ADD_BITS
	int
	default 0 if !LRNG_OVERSAMPLE_ENTROPY_SOURCES
	default 128 if LRNG_OVERSAMPLE_ENTROPY_SOURCES

choice
	prompt "Continuous entropy compression boot time setting"
	default LRNG_CONTINUOUS_COMPRESSION_ENABLED
	help
	  Select the default behavior of the continuous compression
	  operation.

	  The Linux RNG collects entropy data during each interrupt.
	  For performance reasons, a amount of entropy data defined by
	  the LRNG entropy collection pool size is concatenated into
	  an array. When that array is filled up, a hash is calculated
	  to compress the entropy. That hash is calculated in
	  interrupt context.

	  In case such hash calculation in interrupt context is deemed
	  too time-consuming, the continuous compression operation
	  can be disabled. If disabled, the collection of entropy will
	  not trigger a hash compression operation in interrupt context.
	  The compression happens only when the DRNG is reseeded. This
	  implies that old entropy data collected after the last
	  DRNG-reseed is overwritten with newer entropy data instead
	  of retaining its entropy with the compression operation.

	config LRNG_CONTINUOUS_COMPRESSION_ENABLED
		bool "Enable continuous compression (default)"

	config LRNG_CONTINUOUS_COMPRESSION_DISABLED
		bool "Disable continuous compression"
endchoice

config LRNG_ENABLE_CONTINUOUS_COMPRESSION
	bool
	default y if LRNG_CONTINUOUS_COMPRESSION_ENABLED
	default n if LRNG_CONTINUOUS_COMPRESSION_DISABLED

config LRNG_SWITCHABLE_CONTINUOUS_COMPRESSION
	bool "Runtime-switchable continuous entropy compression"
	help
	  Per default, the continuous compression operation behavior
	  is hard-wired into the kernel. Enable this option to allow
	  it to be configurable at boot time.

	  To modify the default behavior of the continuous
	  compression operation, use the kernel command line option
	  of lrng_sw_noise.lrng_pcpu_continuous_compression.

	  If unsure, say N.

choice
	prompt "LRNG Entropy Collection Pool Size"
	default LRNG_COLLECTION_SIZE_1024
	help
	  Select the size of the LRNG entropy collection pool
	  storing data without performing a compression operation.
	  The larger the collection size is, the faster the
	  average interrupt handling will be. However, on the
	  other hand the time until the LRNG received full entropy
	  during boot time is longer because entropy is only awarded
	  to events once they are compressed. The collection
	  size represents the number of bytes of the per-CPU
	  memory used to batch up entropy event data.

	  The default value is good for regular operations. Choose
	  larger sizes for servers whose boot time is of less
	  interest. Runtime memory is precious, choose a smaller
	  size.

	  The collection size is unrelated to the entropy rate
	  or the amount of entropy the LRNG can process.

	config LRNG_COLLECTION_SIZE_32
	depends on LRNG_CONTINUOUS_COMPRESSION_ENABLED
	depends on !LRNG_SWITCHABLE_CONTINUOUS_COMPRESSION
	depends on !LRNG_OVERSAMPLE_ENTROPY_SOURCES
		bool "32 interrupt events"

	config LRNG_COLLECTION_SIZE_256
	depends on !LRNG_OVERSAMPLE_ENTROPY_SOURCES
		bool "256 interrupt events"

	config LRNG_COLLECTION_SIZE_512
		bool "512 interrupt events"

	config LRNG_COLLECTION_SIZE_1024
		bool "1024 interrupt events (default)"

	config LRNG_COLLECTION_SIZE_2048
		bool "2048 interrupt events"

	config LRNG_COLLECTION_SIZE_4096
		bool "4096 interrupt events"

	config LRNG_COLLECTION_SIZE_8192
		bool "8192 interrupt events"

endchoice

config LRNG_COLLECTION_SIZE
	int
	default 32 if LRNG_COLLECTION_SIZE_32
	default 256 if LRNG_COLLECTION_SIZE_256
	default 512 if LRNG_COLLECTION_SIZE_512
	default 1024 if LRNG_COLLECTION_SIZE_1024
	default 2048 if LRNG_COLLECTION_SIZE_2048
	default 4096 if LRNG_COLLECTION_SIZE_4096
	default 8192 if LRNG_COLLECTION_SIZE_8192

menuconfig LRNG_DRNG_SWITCH
	bool "Support DRNG runtime switching"
	help
	  The Linux RNG per default uses a ChaCha20 DRNG that is
	  accessible via the external interfaces. With this configuration
	  option other DRNGs can be selected and loaded at runtime.

if LRNG_DRNG_SWITCH

config LRNG_KCAPI_HASH
	bool

config LRNG_DRBG
	tristate "SP800-90A support for the LRNG"
	depends on CRYPTO
	select CRYPTO_DRBG_MENU
	select CRYPTO_SHA512
	select LRNG_KCAPI_HASH
	help
	  Enable the SP800-90A DRBG support for the LRNG. Once the
	  module is loaded, output from /dev/random, /dev/urandom,
	  getrandom(2), or get_random_bytes_full is provided by a DRBG.

config LRNG_KCAPI
	tristate "Kernel Crypto API support for the LRNG"
	depends on CRYPTO
	depends on !LRNG_DRBG
	select CRYPTO_RNG
	select LRNG_KCAPI_HASH
	help
	  Enable the support for generic pseudo-random number
	  generators offered by the kernel crypto API with the
	  LRNG. Once the module is loaded, output from /dev/random,
	  /dev/urandom, getrandom(2), or get_random_bytes is
	  provided by the selected kernel crypto API RNG.
endif # LRNG_DRNG_SWITCH

config LRNG_JENT
	bool "Enable Jitter RNG as LRNG Seed Source"
	depends on CRYPTO
	select CRYPTO_JITTERENTROPY
	help
	  The Linux RNG may use the Jitter RNG as noise source. Enabling
	  this option enables the use of the Jitter RNG. Its default
	  entropy level is 16 bits of entropy per 256 data bits delivered
	  by the Jitter RNG. This entropy level can be changed at boot
	  time or at runtime with the lrng_base.jitterrng configuration
	  variable.

config LRNG_HEALTH_TESTS
	bool "Enable noise source online health tests"
	help
	  The online health tests validate the noise source at
	  runtime for fatal errors. These tests include SP800-90B
	  compliant tests which are invoked if the system is booted
	  with fips=1. In case of fatal errors during active
	  SP800-90B tests, the issue is logged and the noise
	  data is discarded. These tests are required for full
	  compliance with SP800-90B.

	  If unsure, say Y.

config LRNG_RCT_BROKEN
	bool "SP800-90B RCT with dangerous low cutoff value"
	depends on LRNG_HEALTH_TESTS
	depends on BROKEN
	default n
	help
	  This option enables a dangerously low SP800-90B repetitive
	  count test (RCT) cutoff value which makes it very likely
	  that the RCT is triggered to raise a self test failure.

	  This option is ONLY intended for developers wanting to
	  test the effectiveness of the SP800-90B RCT health test.

	  If unsure, say N.

config LRNG_APT_BROKEN
	bool "SP800-90B APT with dangerous low cutoff value"
	depends on LRNG_HEALTH_TESTS
	depends on BROKEN
	default n
	help
	  This option enables a dangerously low SP800-90B adaptive
	  proportion test (APT) cutoff value which makes it very
	  likely that the APT is triggered to raise a self test
	  failure.

	  This option is ONLY intended for developers wanting to
	  test the effectiveness of the SP800-90B APT health test.

	  If unsure, say N.

# Default taken from SP800-90B sec 4.4.1 - significance level 2^-30
config LRNG_RCT_CUTOFF
	int
	default 31 if !LRNG_RCT_BROKEN
	default 1 if LRNG_RCT_BROKEN

# Default taken from SP800-90B sec 4.4.2 - significance level 2^-30
config LRNG_APT_CUTOFF
	int
	default 325 if !LRNG_APT_BROKEN
	default 32 if LRNG_APT_BROKEN

menuconfig LRNG_TESTING_MENU
	bool "LRNG testing interfaces"
	depends on DEBUG_FS
	help
	  Enable one or more of the following test interfaces.

	  If unsure, say N.

if LRNG_TESTING_MENU

config LRNG_RAW_HIRES_ENTROPY
	bool "Enable entropy test interface to hires timer noise source"
	default y
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned high resolution time stamp noise that
	  is collected by the LRNG for statistical analysis. Extracted
	  noise data is not used to seed the LRNG.

	  The raw noise data can be obtained using the lrng_raw_hires
	  debugfs file. Using the option lrng_testing.boot_raw_hires_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_JIFFIES_ENTROPY
	bool "Enable entropy test interface to Jiffies noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned Jiffies that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the LRNG if a high-resolution time stamp is not
	  available. If a high-resolution time stamp is detected,
	  the Jiffies value is not collected by the LRNG and no
	  data is provided via the test interface. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_jiffies
	  debugfs file. Using the option lrng_testing.boot_raw_jiffies_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_IRQ_ENTROPY
	bool "Enable entropy test interface to IRQ number noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt number that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the random32 PRNG external to the LRNG if a
	  high-resolution time stamp is available or it will be used to
	  seed the LRNG otherwise. Extracted noise data is not used to
	  seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_irq
	  debugfs file. Using the option lrng_testing.boot_raw_irq_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_IRQFLAGS_ENTROPY
	bool "Enable entropy test interface to IRQ flags noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt flags that is collected by
	  the LRNG for statistical analysis. This data is used for
	  seeding the random32 PRNG external to the LRNG if a
	  high-resolution time stamp is available or it will be used to
	  seed the LRNG otherwise. Extracted noise data is not used to
	  seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_irqflags
	  debugfs file. Using the option lrng_testing.boot_raw_irqflags_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_RETIP_ENTROPY
	bool "Enable entropy test interface to RETIP value noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned return instruction pointer value
	  that is collected by the LRNG for statistical analysis.
	  This data is used for seeding the random32 PRNG external
	  to the LRNG if a high-resolution time stamp is available or
	  it will be used to seed the LRNG otherwise. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_retip
	  debugfs file. Using the option lrng_testing.boot_raw_retip_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_REGS_ENTROPY
	bool "Enable entropy test interface to IRQ register value noise source"
	help
	  The test interface allows a privileged process to capture
	  the raw unconditioned interrupt register value that is
	  collected by the LRNG for statistical analysis. Extracted noise
	  data is not used to seed the random number generator.

	  The raw noise data can be obtained using the lrng_raw_regs
	  debugfs file. Using the option lrng_testing.boot_raw_regs_test=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_RAW_ARRAY
	bool "Enable test interface to LRNG raw entropy storage array"
	help
	  The test interface allows a privileged process to capture
	  the raw noise data that is collected by the LRNG
	  in the per-CPU array for statistical analysis. The purpose
	  of this interface is to verify that the array handling code
	  truly only concatenates data and provides the same entropy
	  rate as the raw unconditioned noise source when assessing
	  the collected data byte-wise.

	  The data can be obtained using the lrng_raw_array debugfs
	  file. Using the option lrng_testing.boot_raw_array=1
	  the raw noise of the first 1000 entropy events since boot
	  can be sampled.

config LRNG_IRQ_PERF
	bool "Enable LRNG interrupt performance monitor"
	help
	  With this option, the performance monitor of the LRNG
	  interrupt handling code is enabled. The file provides
	  the execution time of the interrupt handler in
	  cycles.

	  The interrupt performance data can be obtained using
	  the lrng_irq_perf debugfs file. Using the option
	  lrng_testing.boot_irq_perf=1 the performance data of
	  the first 1000 entropy events since boot can be sampled.

config LRNG_ACVT_HASH
	bool "Enable LRNG ACVT Hash interface"
	help
	  With this option, the LRNG built-in hash function used for
	  auxiliary pool management and prior to switching the
	  cryptographic backends is made available for ACVT. The
	  interface allows writing of the data to be hashed
	  into the interface. The read operation triggers the hash
	  operation to generate message digest.

	  The ACVT interface is available with the lrng_acvt_hash
	  debugfs file.

config LRNG_TESTING
	bool
	default y if (LRNG_RAW_HIRES_ENTROPY || LRNG_RAW_JIFFIES_ENTROPY ||LRNG_RAW_IRQ_ENTROPY || LRNG_RAW_IRQFLAGS_ENTROPY || LRNG_RAW_RETIP_ENTROPY || LRNG_RAW_REGS_ENTROPY || LRNG_RAW_ARRAY || LRNG_IRQ_PERF || LRNG_ACVT_HASH)

endif #LRNG_TESTING_MENU

config LRNG_SELFTEST
	bool "Enable power-on and on-demand self-tests"
	help
	  The power-on self-tests are executed during boot time
	  covering the ChaCha20 DRNG, the hash operation used for
	  processing the entropy pools and the auxiliary pool, and
	  the time stamp management of the LRNG.

	  The on-demand self-tests are triggered by writing any
	  value into the SysFS file selftest_status. At the same
	  time, when reading this file, the test status is
	  returned. A zero indicates that all tests were executed
	  successfully.

	  If unsure, say Y.

if LRNG_SELFTEST

config LRNG_SELFTEST_PANIC
	bool "Panic the kernel upon self-test failure"
	help
	  If the option is enabled, the kernel is terminated if an
	  LRNG power-on self-test failure is detected.

endif # LRNG_SELFTEST

endif # LRNG
